Patchwork [PATCHv2,net-next,1/3] xfrm: check user specified spi for IPComp

Submitter fan.du
Date Dec. 15, 2013, 9:19 a.m.
Message ID <>
Permalink /patch/301335/
State Not Applicable
Delegated to: David Miller


fan.du - Dec. 15, 2013, 9:19 a.m.
An IPComp connection between two hosts is broken if the given spi is bigger
than 0xffff.


ip xfrm policy update dst src dir out action allow \
       tmpl dst src proto comp spi $OUTSPI
ip xfrm policy update src dst dir in action allow \
       tmpl src dst proto comp spi $INSPI

ip xfrm state add src dst  proto comp spi $INSPI \
		comp deflate
ip xfrm state add dst src  proto comp spi $OUTSPI \
		comp deflate

tcpdump can capture the outbound ping packet, but the inbound packet is
dropped with XfrmOutNoStates errors. It looks like the spi value used
for IPComp is expected to be 16 bits wide only.

Signed-off-by: Fan Du <>
 net/xfrm/xfrm_user.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)


diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index f964d4c..8543b1b 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -181,7 +181,9 @@  static int verify_newsa_info(struct xfrm_usersa_info *p,
 		    attrs[XFRMA_ALG_AEAD]	||
 		    attrs[XFRMA_ALG_CRYPT]	||
 		    attrs[XFRMA_ALG_COMP]	||
-		    attrs[XFRMA_TFCPAD])
+		    attrs[XFRMA_TFCPAD]		||
+		    (ntohl(p->id.spi) >= 0x10000))
 			goto out;
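
Review bot: The new `(ntohl(p->id.spi) >= 0x10000)` test is appended to a condition whose context lines also bail out when `attrs[XFRMA_ALG_COMP]` is present, which is not what an IPComp branch would do, since the commit message sets the state up with `comp deflate`. The case label is outside the visible context, so please confirm the check lands in the IPPROTO_COMP case of verify_newsa_info(); as placed it appears to restrict the SPI of a different protocol and leave IPComp unchecked. Separately, a short comment or a named constant in place of the bare 0x10000 would document that the bound comes from the 16-bit IPComp CPI.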